Prerequisites Checklist

  • Tenable Identity Exposure works with Windows Server 2016 with the latest available update.

  • The Tenable Identity Exposure installation program requires Local Administrator rights on Windows Server 2016. If the account used for the installation is the default account, ensure that this account can run programs without restrictions.

  • Tenable Identity Exposure services require Local Administrator rights to run local services on the machine.

  • Tenable Identity Exposure requires a dedicated data partition. Do not run Tenable Identity Exposure on the OS partition to prevent system freeze if the partition is full.

  • Tenable Identity Exposure SQL instance requires the virtual accounts usage feature.

  • When installing or upgrading Microsoft SQL Server after implementing tighter security measures, the installation process fails due to insufficient user rights. Check that you have the necessary permissions for a successful installation. For more information, see the Microsoft documentation.

  • Tenable Identity Exposure must run as a black box. Dedicate each machine to Tenable Identity Exposure and do not share it with another product.

  • Tenable Identity Exposure can create any folder starting with the ‘Alsid’ or ‘Tenable’ prefix on the data partition. Therefore, do not create folders starting with ‘Alsid’ or ‘Tenable’ on the data partition.

  • Erlang: Do not modify the HOMEDRIVE environment variable. The PATHEXT environment variable must contain the .exe and .bat file extensions.

  • If you must set the AD service account of Tenable Identity Exposure as a Protected Users group member, ensure your Tenable Identity Exposure configuration supports Kerberos authentication, because Protected Users cannot use NTLM authentication.
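Several of the host-level items above can be verified from an elevated PowerShell session before the installer is launched. The script below is an added example, not part of Tenable's documentation or tooling; the `$DataDrive` default of `D:`, the helper name `Test-PathExt`, and the choice to read PATHEXT at machine scope are assumptions, and the folder check is meant for a fresh installation.

```powershell
# Added pre-flight sketch. $DataDrive is an assumption: set it to your data partition.
param([string]$DataDrive = 'D:')

function Test-PathExt {
    param([string]$PathExt)
    # PATHEXT is a semicolon-separated, case-insensitive list of extensions.
    $exts = @($PathExt -split ';' | ForEach-Object { $_.Trim().ToLowerInvariant() })
    return ($exts -contains '.exe') -and ($exts -contains '.bat')
}

$root    = $DataDrive.TrimEnd('\') + '\'
$results = [ordered]@{}

# Windows Server 2016 is the supported OS named in the checklist.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OS is Windows Server 2016'] = $os.Caption -like '*Windows Server 2016*'

# The installer and the services need Local Administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$results['Session has Local Administrator rights'] = $isAdmin

# Dedicated data partition, separate from the OS partition.
$results['Data partition exists'] = Test-Path -LiteralPath $root
$results['Data partition is not the OS partition'] = $DataDrive.TrimEnd('\') -ne $env:SystemDrive

# Reserved prefixes: on a fresh install nothing named Alsid* or Tenable* should exist yet.
$reserved = @(Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(Alsid|Tenable)' })
$results['No pre-existing Alsid*/Tenable* folders'] = $reserved.Count -eq 0

# Erlang: PATHEXT (read at machine scope, an assumption) must list .exe and .bat.
$pathExt = [Environment]::GetEnvironmentVariable('PATHEXT', 'Machine')
$results['PATHEXT contains .exe and .bat'] = Test-PathExt $pathExt

foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'OK' } else { 'CHECK' }
    '{0,-42} {1}' -f $check.Key, $status
}
# HOMEDRIVE cannot be validated generically; print it so a modified value is noticed.
"HOMEDRIVE = '$env:HOMEDRIVE' (must be left unmodified)"
```

Any line reported as `CHECK` maps back to the corresponding bullet above and should be resolved before installation.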

This table summarizes the prerequisites in a handy checklist to complete before installation.

Information or Resource to Reserve


The required agreements (NDA, Evaluation Software License), if applicable


The choice of architecture (centralized or distributed)


The number of active AD users in the targeted domains to monitor


The computing and memory resources based on Tenable Identity Exposure’s sizing matrix.


The private IP of each virtual machine used to deploy Tenable’s platform


The type and IP address of the update management infrastructure


The type and IP address of the time server


The type and IP address of the PKI server


The type and IP address of the identity provider


Open required network flows for each service that Tenable Identity Exposure requires.


The private IP addresses of each Primary Domain Controller emulator


Creation of a regular user account on each Active Directory forest to monitor.


On the specific Active Directory containers, grant access rights to the Tenable service account.

Grant access for Privileged Analysis if you want to enable this feature.  

The AD domain user account login:


A TLS certificate for Tenable Identity Exposure’s Web Portal, issued by the customer’s PKI

  • Otherwise, inform the Technical Lead of the use of a self-signed certificate.


The list of Tenable Identity Exposure user accounts to create:

  • Required information: first and last name, email address, and desired login.


The list of optional configurations to activate (email notification, Syslog event forwarding, etc.)


An identified and available project coordinator to work with Tenable.


Technical staff to respond to potential technical issues such as network filtering issues and an unreachable PDCe.